Week in review

AUSCERT Week In Review for April 29th 2022

Greetings,

Earlier this week, we released our eleventh episode of Share Today, Save Tomorrow. Ethics, trust and collaboration form part of the discussion this month, with Jeroen van der Ham and Shawn Richardson featuring, providing their insights and sharing their experiences with this developing area within our industry.

Today, April 29 2022, is the 40th International Dance Day, which has grown into a celebration for those who can see the value and importance in the art form that is dance. Whether it’s toddlers bopping along to their favourite song or the perennial favourite ‘foot shuffle/shoulder shrug’ combo most often seen at weddings, we all have a move or routine that gets us moving when the moment and music is right! To commemorate this occasion, there will be an online celebration featuring five dance productions, each from one region (Africa, Asia-Pacific, the Americas, Europe, and Arab Countries), that will be worth watching if you appreciate dance or would like some tips!

Not to alarm people, but next week we see the arrival of May! Not only does this signify our approach towards the halfway point of 2022 but also the imminent commencement of AUSCERT2022! A little over a week remains to register for Australia’s premier cyber security conference. We have a few surprises in store, along with the fantastic program that you can check out online, so be sure to register today as you won’t want to miss out!

Manage and monitor third-party identities to protect your organization
Date: 2022-04-26
Author: Help Net Security

SecZetta shared research that demonstrates a clear misalignment between the strategies organizations currently use and what is actually required to protect them from cyberattacks due to third-party vulnerabilities. At a time when cyberattacks are increasing in size, frequency, and impact, this research found most organizations are not taking the necessary steps to manage and monitor the lifecycle of their third-party identities, making them more vulnerable to cyber incidents. To strengthen cybersecurity programs and better manage identity lifecycles, including third-party and non-human workers, organizations need stronger third-party identity management strategies and solutions.

Quarterly Report: Incident Response trends in Q1 2022
Date: 2022-04-26
Author: Cisco Talos

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide. The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j.

Five Eyes nations reveal 2021’s fifteen most-exploited flaws
Date: 2022-04-28
Author: The Register

Security flaws in Log4j, Microsoft Exchange, and Atlassian’s workspace collaboration software were among the bugs most frequently exploited by “malicious cyber actors” in 2021, according to a joint advisory by the Five Eyes nations’ cybersecurity and law enforcement agencies. It’s worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years’ lists often found miscreants exploiting the older vulns for which patches had been available for years.

BlackCat Ransomware gang breached over 60 orgs worldwide
Date: 2022-04-25
Author: Security Affairs

The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November. “The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide,” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”

How Industry Leaders Should Approach Open Source Security
Date: 2022-04-28
Author: Dark Reading

Security has long been a point of concern in the open source community. If not managed carefully, the same openness that allows innovative code contributions from global users can also present vulnerable attack surfaces for malicious actors. In fact, when asked about roadblocks preventing their organizations’ use of open source, respondents to Anaconda’s 2021 State of Data Science report cited “Fear of CVEs, potential exposures, or risks” (41%) and “Open source software is deemed insecure, so it’s not allowed” (26%) among other concerns. Yet open source drives innovation, and there are ways to dramatically decrease the potential risks that arise from the use of open source software. This is why many organizations take a “best of both worlds” approach, adopting open source while prioritizing security measures.

ESB-2022.1792 – Tenable.sc third party components: CVSS (Max): 9.8
Tenable has provided a patch to address multiple vulnerable third-party software components used by Tenable.sc.

ESB-2022.1870 – grafana: CVSS (Max): 9.8
Multiple vulnerabilities affecting Grafana have now been fixed in versions 8.3.5 and 7.5.15.

ESB-2022.1907 – Google Chrome: CVSS (Max): None
Google Chrome 101 is available to users as a stable version, fixing several vulnerabilities.

ASB-2022.0119 – Microsoft Edge (Chromium-based): CVSS (Max): 8.3*
Microsoft has also addressed Chrome’s CVEs in Microsoft Edge and added 2 additional CVEs in its upstream product.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for April 22nd 2022

Greetings,

The commemoration of ANZAC Day has become entrenched in Australia and New Zealand’s identity, marking the anniversary of the first major military action fought by members of the Australian and New Zealand Army Corps (ANZAC). The Light Up The Dawn website, coordinated by RSL Australia, is the perfect place to learn about how you can commemorate those who are serving and those who have served. Lest We Forget.

Sadly, the presence of war remains today, with the conflict in Ukraine showing no signs of easing. Although Easter is being observed in Russia this Sunday, April 24th, The Cyber Wire update earlier this week stated that governments in the west shouldn’t let their guard down concerning potential cyber attacks.

AUSCERT has seen a surge in registrations for this year’s conference over the past few days, which is exciting news! With just over two weeks to go until Australia’s premier information security conference gets underway, we encourage anyone interested in coming along to check out our sensational line-up of speakers and tutorials and Register Today for AUSCERT2022!

Lastly, AUSCERT is recruiting for two Software Developers with skills in Python on Linux platforms, and what an opportunity for developers with an interest in cyber security! As part of the AUSCERT team, you’d work alongside Analysts and Infrastructure Engineers and, speaking of the AUSCERT Conference, you also get the chance to participate in the event too!

CISA warns of attackers now exploiting Windows Print Spooler bug
Date: 2022-04-19
Author: Bleeping Computer

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler. This high severity vulnerability (tracked as CVE-2022-22718) impacts all versions of Windows per Microsoft’s advisory and it was patched during the February 2022 Patch Tuesday. The only information Microsoft shared about this security flaw is that threat actors can exploit it locally in low-complexity attacks without user interaction.

Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021
Date: 2022-04-20
Author: The Hacker News

Google Project Zero called 2021 a “record year for in-the-wild 0-days,” as 58 security vulnerabilities were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020. “The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits,” Google Project Zero security researcher Maddie Stone said.

US and allies warn of Russian hacking threat to critical infrastructure
Date: 2022-04-20
Author: Bleeping Computer

Today, Five Eyes cybersecurity authorities warned critical infrastructure network defenders of an increased risk that Russia-backed hacking groups could target organizations within and outside Ukraine’s borders. The warning comes from cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom in a joint cybersecurity advisory with info on Russian state-backed hacking operations and Russian-aligned cybercrime groups.

Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
Date: 2022-04-20
Author: Ars Technica

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

Attacker Dwell Times Down, But No Consistent Correlation to Breach Impact: Mandiant
Date: 2022-04-19
Author: SecurityWeek.Com

The good news is that median intruder dwell time is down again – down from 24 days in 2020 to 21 days in 2021. The bad news is the figure gives little indication of the true nature of successful intruder activity across the whole security ecosphere. Dwell time is the length of time between assumed initial intrusion and detection of an intrusion. The usual assumption is that the shorter the dwell time, the less damage can be done. This is not a valid assumption across all intrusions. The figures come from Mandiant’s M-Trends 2022 report, which is based on the firm’s breach investigations between October 1, 2020, and December 31, 2021. They show that the median dwell time figure has consistently declined over the last few years: from 205 days in 2014 through 78 (2018), 56 (2019), 24 (2020) to 21 (2021). The problem is that the dwell time has no consistent correlation to the breach effect.

ESB-2022.1726 – Cisco Umbrella Virtual Appliance: CVSS (Max): 7.5
A vulnerability could allow an unauthenticated, remote attacker to impersonate a Virtual Appliance. One of many Cisco bulletins this week.

ASB-2022.0113 – Oracle Communications Applications: CVSS (Max): 10.0
It was Oracle’s 3-monthly patch day this week (Critical Patch Update). Some of the CVSS ratings reached 10.0.

ASB-2022.0091 – Oracle Virtualization: CVSS (Max): 9.0
Another Oracle product affected was the popular VM VirtualBox.

ESB-2022.1714 – Siemens OpenSSL Vulnerabilities in Industrial Products: CVSS (Max): 5.9
ICS-CERT published many advisories this week for Industrial Control Systems (ICS), including SCADA (Supervisory Control and Data Acquisition) systems. This OpenSSL issue affects many systems and devices.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for April 14th 2022

Greetings,

Each week of 2022 seems to be moving at a faster pace than the one before and here we are, at Easter already! Four days to relax, rejoice, reframe – and indulge in far too many chocolate eggs, bunnies, and bilbies along with some hot cross buns of course! It’s also the first week of at least three (four if you’re in Queensland) that have one day less in the working week. Now, whilst that might be celebrated, it also means that we have fewer business days until AUSCERT2022! We have some fantastic Sponsors, Speakers, Tutorials and some sensational surprises in store this year! Spots are filling fast so, to ensure you don’t miss out, Register today for Australia’s premier cyber security conference.

AUSCERT will maintain minimal coverage for the Easter holidays from Friday 15 April to Monday 18 April. AUSCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Have a safe, enjoyable and relaxing Easter break everyone!

Mandatory cyber security incident reporting now in force
Date: 2022-04-12
Author: iTnews

Home Affairs minister Karen Andrews has published the implementation of Australia’s critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors. Under the Security of Critical Infrastructure 2018 Act, multiple industry assets are deemed to be critical.

Security Nihilism Is Putting Your Company and Its Employees at Risk
Date: 2022-04-09
Author: Dark Reading

When it comes to staying safe and secure in our digital worlds, sometimes it can feel like giving up is the only choice. This idea of “security nihilism” isn’t new. Security teams have always faced incredibly challenging problems while trying to enable safe and trustworthy experiences across all the technology we use. It can be a difficult trap to overcome for security practitioners, but it’s even more dangerous when employees start to feel it. Security nihilism creates new and worsens existing problems that put a company’s data — and the employees who are stewards of that data — at risk.

GitHub can now alert of supply-chain bugs in new dependencies
Date: 2022-04-08
Author: Bleeping Computer

GitHub can now block and alert you of pull requests that introduce new dependencies impacted by known supply chain vulnerabilities. This is achieved by adding the new Dependency Review GitHub Action to an existing workflow in one of your projects. You can do it through your repository’s Actions tab under Security or straight from the GitHub Marketplace. It works with the help of an API endpoint that will help you understand the security impact of dependency changes before adding them to your repository at every pull request.

Creating a Security Culture Where People Can Admit Mistakes
Date: 2022-04-12
Author: Dark Reading

Andy Ellis, advisory CISO for Orca Security and a longtime Akamai veteran, likes to tell a story about a potentially serious security incident. One of his team members was testing the email integration of a new incident tracking system. Unfortunately, the test email, titled “[TEST] Meteor strike destroys the headquarters,” went to everyone in the company and created a loop that crashed the mail servers. As Ellis recounts, “The next day the responsible employee tweeted a picture of themselves training for a 5K run, and I replied, ‘Preparing to outrun the meteor?’”

New pilot program to help meet urgent demand for cyber security skills
Date: 2022-04-12
Author: Riotact

Cyber security may have been a big winner in the Federal Budget but finding the people to make the Federal Government’s ambitious plans a reality will be challenging. The ACT Government and Digital Skills Organisation (DSO) aim to help address the cyber skills shortage and meet the needs of the ACT’s growing tech sector with a new 12-month pilot program through the Canberra Cyber Hub. It will focus on developing a new National Skills Framework for cyber security in cooperation with industry.

ESB-2022.1488.2 – UPDATED ALERT VMware products: CVSS (Max): 9.8
VMware has now confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

ESB-2022.1560 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1
Adobe Commerce and Magento Open Source are vulnerable to Remote Code Execution. Adobe has released patches to address the issue.

ESB-2022.1623 – ALERT Cisco Wireless LAN Controller: CVSS (Max): 10.0
Cisco has released an advisory regarding a critical authentication bypass vulnerability affecting several Wireless LAN controllers.

ASB-2022.0085 – ALERT Microsoft Windows products: CVSS (Max): 9.8
Microsoft has addressed multiple vulnerabilities during Patch Tuesday in its upstream Windows products.

ASB-2022.0086.3 – UPDATE Nginx Zero-Day
Multiple mitigation measures are available for the recent zero-day vulnerability in the nginx web server.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
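Following up on the GitHub Dependency Review item in this week’s review: the workflow below is an added example, not code from the Bleeping Computer article or from GitHub’s own documentation. It assumes the file lives at .github/workflows/dependency-review.yml and uses the real actions/dependency-review-action; the moderate severity threshold is an assumed policy choice, not something the article specifies.

```yaml
# .github/workflows/dependency-review.yml  (added example; file path is an assumption)
# Runs on every pull request and fails the check when the PR introduces a
# dependency that has a known advisory, using GitHub's dependency-review-action.
name: Dependency Review

on:
  pull_request:

permissions:
  contents: read   # least privilege: the review only needs to read the repository

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v3

      - name: Review newly added dependencies against the GitHub Advisory Database
        uses: actions/dependency-review-action@v2
        with:
          # Fail the check if any newly introduced dependency carries an advisory
          # of this severity or higher (assumed threshold; align with local policy).
          fail-on-severity: moderate
```

Because the action compares the dependency manifests of the PR head against the base branch, it only flags dependencies the PR adds or upgrades, so existing vulnerable dependencies still need to be tracked separately (for example via Dependabot alerts). Keeping the job’s token permission at contents: read means a compromised third-party action in the same workflow cannot push to the repository.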


Blogs

BDO and AUSCERT Cyber Security Survey Report 2021

BDO and AUSCERT say the federal government’s technology investment boost is a good first step to heighten the resilience of Australian businesses. However, there is a need for business guidance to avoid another ‘pink batts’ fiasco. The emergence of questionable ‘pop-up’ providers is a reality, say the industry experts.

On 29 March 2022, as part of the 2022–23 Budget, the Australian Government announced it will support small business via the Small Business Technology Investment Boost and Small Business Skills and Training Boost. Small businesses with annual turnover of less than $50 million will be able to deduct 120% of eligible training and assets, such as cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return.

AUSCERT and BDO are calling for guidance to be provided for SMEs looking to take advantage of the government incentives to mitigate the chance of inadequate governance.

“AUSCERT recognises the significance of the latest federal government announcement and hopes the promise will be matched equally by delivery,” said AUSCERT Director David Stockdale. “While it is easy for a government in the runup to an election to make promises, the true benefit is in recognising the needs of SMEs and then delivering the training that will lift the cyber security posture of these organisations. This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap.”

“Helping SMEs to understand the threats, assess their own risk landscape and implement proportional controls is critical, and is no easy task. Risk management and cybercrime awareness aren’t the core business of most SMEs, and history has shown that even large corporates can fall victim to wide scale breaches if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David. “Training, and regulation of the training, needs to address these knowledge gaps – let’s hope we do not see providers peddling a “silver bullet” course and we find ourselves looking back and seeing another ‘pink batts’ fiasco.”

The latest BDO and AUSCERT Cyber Security Survey found incidents requiring data recovery efforts also rose by 160% from 2020, suggesting that cyber attacks are becoming more destructive and laser focused.

BDO Partner and National Cyber Security Leader Leon Fouche said, “The technology investment boost is a great first step to heighten the resilience of Australian businesses. However, the government announcements to help drive training create a ripe environment for ineffective training and providers to pop up.”

The BDO and AUSCERT survey found that 2021 saw a staggering 175% increase in data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’, indicating that staff security awareness training may not be as robust as needed in the wake of remote working arrangements.

“With the steady increase in working remotely driven by the pandemic there is growing awareness of the need for training,” said Leon. “Indeed, our report showed that 1 in 4 organisations have invested in some form of cyber awareness training. Yet most organisations don’t have a chief security officer, or specialist security contractor on speed dial to keep up with the rapidly changing landscape of cyber threats, so the government will need to be able to provide SMEs with a starting point and ongoing support to really help these incentives be impactful.”

The BDO and AUSCERT Cyber Security Survey found that 60% of organisations use some form of cyber threat intelligence, meaning those who are not continually learning about new cyber threats are lagging behind their peers. The survey identified several steps business can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.

“No doubt the incentives announced by the government will drive SMEs signing on to training and purchasing assets,” commented Leon. “Whether this means a business’s first training course for their staff or upskilling of those employees who already have some awareness training, what is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets.”

BDO forensic expert Stan Gallo said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on technology investment that can take their business to the next level. There is a lot more to digital evolution than a flashy website or a cloud subscription and throwing money at SME business.”

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cybersecurity, but hardly revolutionary.

“The Technology Investment Boost is terrific for innovative tech driven start-ups and entrepreneurial business, but mature SMEs looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations. Many people that have laboured over the years and built up a successful business, particularly in traditionally non-technology-driven areas, still need assistance to understand technology investment and how it can add value to their business operations.”

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan. “However, there has been some insidious countermovement. For example, on the back of a growing trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now regularly linked to an initial theft of data to provide two bites at the cherry. If the victim is not going to pay the ransom – then maybe they will pay to get their confidential data back. As usual there are no guarantees either way.”

You can view a copy of the BDO and AUSCERT Cyber Security Survey at the following link: Cyber Survey Report 2021


Week in review

AUSCERT Week In Review for April 8th 2022

Greetings,

Late yesterday, VMware confirmed that it had patched eight bugs in an array of its products. Many news sources, including The Hacker News, have advised that the vulnerabilities could be exploited, with five of the bugs identified as critical. The five products affected are Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. It is advised that the vulnerabilities should be patched as soon as possible; a bulletin issued by AUSCERT yesterday has further information: ESB-2022.1488.

If you weren’t already aware, each of the remaining working weeks in April is just four days long courtesy of some well-placed public holidays! Whilst that ensures consecutive long weekends, it also means that time is running out to book your spot at our 21st Annual AUSCERT Cyber Security Conference, AUSCERT2022. There are also limited booths remaining for our exhibition! If you’re interested in Sponsorship, contact our team via email: conference@auscert.org.au

Feds slay dark-web souk Hydra: Servers and $25m in crypto-coins seized
Date: 2022-04-05
Author: The Register

US and German federal agencies came down hard on Hydra, the longest-running known dark-web marketplace trafficking in illegal drugs and money-laundering services, with a multi-pronged attack that aimed to cut off multiple heads of the nefarious online beast. First, German federal police in coordination with US law enforcement seized Hydra servers and cryptocurrency wallets containing $25 million in Bitcoin, thus shutting down the online souk. Later on Tuesday, the US Justice Department announced criminal charges against one of the alleged Hydra operators and system administrators, 30-year-old Dmitry Olegovich Pavlov of Russia.

Borat RAT: Multiple threat of ransomware, DDoS and spyware
Date: 2022-04-04
Author: The Register

A new remote access trojan (RAT) dubbed “Borat” doesn’t come with many laughs but offers bad actors a menu of cyberthreats to choose from. RATs are typically used by cybercriminals to get full control of a victim’s system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cybersecurity biz Cyble.

ASD to create cyber security hubs in three states using REDSPICE budget funding
Date: 2022-04-06
Author: iTnews

The Australian Signals Directorate will create cyber security hubs in Melbourne, Brisbane and Perth after receiving $9.9 billion in the federal budget to boost its offensive and defensive capabilities. Amid criticism over its plan to double in size over the next decade, director-general Rachel Noble told senate estimates the new hubs would allow the cyber spy agency to tap into a wider talent pool.

This new malware targets AWS Lambda environments
Date: 2022-04-06
Author: ZDNet

A new malware variant that targets AWS Lambda has been discovered. On Wednesday, researchers from Cado Security published their findings on Denonia, malware currently being used in targeted attacks against Lambda. Lambda is a scalable compute service offered by Amazon Web Services (AWS) for running code, server and OS maintenance, capacity provisioning, logging, and operating numerous backend services.

VMware admins asked to patch eight vulnerabilities
Date: 2022-04-07
Author: iTnews

VMware has patched eight bugs in five of its products that were uncovered by Qihoo 360 security researcher Steven Seeley. An advisory notes the eight vulnerabilities affect five different products: Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. Workspace ONE Access is impacted by two critical authentication bypass vulnerabilities, denoted as CVE-2022-22955 and CVE-2022-22956. They would allow an attacker to “bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework”, the advisory says.

ESB-2022.1418.2 – UPDATE GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.1
GitLab released fixed versions for Community Edition and Enterprise Edition to address multiple vulnerabilities, including a critical vulnerability which could allow account takeover.

ESB-2022.1444.4 – UPDATE Cisco Products: CVSS (Max): 9.8
Acknowledging the recent Spring Framework vulnerability, Cisco has been updating its advisory identifying multiple affected products.

ESB-2022.1480 – Firefox: CVSS (Max): 7.5*
Mozilla has released Firefox version 99, which fixes multiple vulnerabilities.

ESB-2022.1484.2 – UPDATED ALERT Tenable.sc: CVSS (Max): 9.8
Tenable has released a patch for Tenable.sc addressing 2 vulnerabilities, including the critical CVE-2022-23943.

ESB-2022.1488 – ALERT VMware products: CVSS (Max): 9.8
VMware released patches to address critical vulnerabilities in several products.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for April 1st 2022

Greetings,

The latest episode of our podcast is here! We discuss Security Orchestration, Automation, and Response, or SOAR, the topic for last year’s conference, and how it can benefit organisational processes, automation and improving efficiencies – regardless of size. You’ll also hear from the AUSCERT team about the malicious URL feed and how it works with SOAR, Member Slack, AUSCERT’s AusISAC and how these can benefit members, as well as a bit of a teaser for the upcoming cyber security conference.

AUSCERT is gearing up to deliver a range of training sessions, aimed at anyone that looks after their organisation’s cyber security. Our next course, Incident Response Planning, is being held next week on April 5 & 6. The courses are delivered virtually and in two half-day sessions from 9 am to 12:30 pm each day.

Learning outcomes for participants:
- Understand the NIST IR (incident response) process;
- Self-assess IR process maturity;
- Design and implement a Cyber Security Incident Response Plan;
- Create and customise cyber security incident playbooks;
- Understand the usefulness of cyber security policies and frameworks to IR;
- Gain awareness of the most common cyber security attacks; and,
- Appreciate the role of tabletop discussion exercises in IR planning and improvement.

Places are limited so be sure to secure your spot and book now.

Lastly, today is April Fool’s Day, when pranks and jokes are played for laughs, as long as they don’t go too far! What we all need right now is some joy and laughter, so why not take a moment to browse some of the great April Fools pranks from history, which include the Left-Handed Whopper, Smell-o-vision and Gmail Motion, a new technology that would allow people to write emails using only hand gestures!

IoT warning: Hackers are gaining access to UPS devices. Here’s how to protect yours
Date: 2022-03-30
Author: ZDNet

Change the default user name and password settings on your internet-connected uninterruptible power supply (UPS) units, the US government has warned. UPS units are meant to provide power backup to keep devices, appliances and applications connected to the internet by supplying off-grid power to places like a data center during a power outage. But hackers have been targeting internet-connected UPS units to disrupt the backup power supply. The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) said they “are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices.”

Russia facing internet outages due to equipment shortage
Date: 2022-03-28
Author: Bleeping Computer

Russia’s RSPP Commission for Communications and IT, the country’s largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment. To raise awareness, the commission has compiled a document that reflects the practical challenges facing the industry in Russia at this time and also presents a set of proposals specifically crafted to alleviate them. Russian media that have seen the document in question say that the warning is dire, as the commission highlights the reserves of telecom operator equipment will only last for another six months.

Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show
Date: 2022-03-29
Author: TechCrunch

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. Customers only learned of Okta’s January security breach on March 22 after the Lapsus$ hacking group published screenshots revealing it had accessed Okta’s internal apps and systems some two months earlier. Okta admitted the compromise in a blog post, and later confirmed 366 of its corporate customers are affected by the breach, or about 2.5% of its customer base.

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware
Date: 2022-03-28
Author: The Hacker News

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. “The emails use a social engineering technique of conversation hijacking (also known as thread hijacking),” Israeli company Intezer said in a report shared with The Hacker News. “A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.” The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors.

Critical Sophos Firewall vulnerability allows remote code execution
Date: 2022-03-27
Author: Bleeping Computer

Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE). Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall. On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier that the company released hotfixes for.

Zero-Day Vulnerability Discovered in Java Spring Framework
Date: 2022-03-31
Author: Dark Reading

A zero-day vulnerability found in the popular Java Web application development framework Spring likely puts a wide variety of Web apps at risk of remote attack, security researchers disclosed on March 30. The vulnerability — dubbed Spring4Shell and SpringShell by some security firms — has caused a great deal of confusion over the past 24 hours as researchers struggled to determine if the issue was new, or related to older vulnerabilities. Researchers with cybersecurity services firm Praetorian and threat intelligence firm Flashpoint independently confirmed that the exploit attacks a new vulnerability, which could be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration.

Google: Russian phishing attacks target NATO, European military
Date: 2022-03-30
Author: Bleeping Computer

The Google Threat Analysis Group (TAG) says more and more threat actors are now using Russia’s war in Ukraine to target Eastern European and NATO countries, including Ukraine, in phishing and malware attacks. The report’s highlight is credential phishing attacks coordinated by a Russia-based threat group tracked as COLDRIVER against a NATO Centre of Excellence and Eastern European militaries. The Russian hackers also targeted a Ukrainian defense contractor and several US-based non-governmental organizations (NGOs) and think tanks.

Okta: “We made a mistake” delaying the Lapsus$ hack disclosure
Date: 2022-03-27
Author: Bleeping Computer

Okta has admitted that it made a mistake delaying the disclosure of a hack from the Lapsus$ data extortion group that took place in January. Additionally, the company has provided a detailed timeline of the incident and its investigation activities. On Friday, Okta expressed regret for not disclosing details about the Lapsus$ hack sooner and shared a detailed timeline of the incident and its investigation.
Australian Budget 2022 delivers AU$9.9 billion for spicy cyber Date: 2022-03-29 Author: ZDNet The federal government has released its 2022-23 federal Budget, containing a AU$9.9 billion kitty for bolstering cybersecurity and intelligence capabilities in the midst of a growing cyberthreat landscape around the world. The near-AU$10 billion will be spent across a decade under a program called Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE). “This is the biggest ever investment in Australia’s cyber preparedness,” said Treasurer Josh Frydenburg, who announced the Budget on Tuesday night. Hive ransomware shuts down California health care organization Date: 2022-03-30 Author: The Record Partnership HealthPlan of California, a nonprofit that helps hundreds of thousands of people access health care in California, is in the midst of being attacked by the Hive ransomware group. The organization is one of the largest Medi-Cal Managed Care Plan providers in Northern California and serves more than 610,000 Medi-Cal beneficiaries in 14 northern California counties. It is unclear when the attack began and Partnership HealthPlan of California is currently unable to respond to requests for comment, but local California newspaper The Press Democrat was the first to report on March 24 that the organization was facing technical issues. ASB-2022.0075 – Spring Boot and Spring Cloud: CVSS (Max): 9.8 AUSCERT released an advisory to its members which includes information on Spring Framework vulnerability. AUSCERT encourages the affected members to review mitigation information and act accordingly. ESB-2022.1346.3 – UPDATE vCenter Server and Cloud Foundation: CVSS (Max): 5.5 Updates have been released to remediate information disclosure vulnerability in VMware vCenter Server. 
ESB-2022.1310 – chromium: CVSS (Max): None The users are encouraged to upgrade their chromium packages to fix a security issue that could result in the execution of arbitrary code if a malicious website is visited. ESB-2022.1411 – Google Chrome: CVSS (Max): None Google has addressed multiple vulnerabilities with the release of Chrome version 100. Stay safe, stay patched and have a good weekend! The AUSCERT team

Week in review

AUSCERT Week In Review for 25th March 2022

Greetings,

Earlier this week, the Okta breach saw many of their customers worldwide become alerted to the potential risk with third party vendors. The group suspected of causing the breach, Lapsus$, were also involved in attacks on Microsoft and Nvidia. itnews reported early Friday morning that several suspects had been arrested in London following an investigation into the ransom-seeking gang. Some of those arrested are said to be aged only between 16 and 21. AUSCERT issued an ASB on Thursday, March 24th, about the Lapsus$ Okta incident, which can be viewed at the following link: ASB-2022.0073

As the war in Ukraine enters a second month, the heightened risk of a major cyber attack from Russia on the USA has resulted in speculation that the Australia, New Zealand and United States Security Treaty (ANZUS) is expected to be activated. Such an attack would come as retaliation for sanctions imposed upon Russia, including by Australia. However, should Australia be a target for such retaliatory action, assurance has been given by Joe Biden’s top cyber security advisor that the US would respond. The Sydney Morning Herald provides further details, including the White House issuing a statement for all companies to “lock the digital door” against potential attacks.

The AUSCERT team has received a flurry of emails and calls concerning the upcoming AUSCERT2022 Cyber Security Conference, which is a fantastic sign that people out there are interested in coming along. Our line-up of speakers has been confirmed and we are fine-tuning the program, which we will be sure to let everyone know about when it’s ready for you to peruse! In the meantime, be sure to check out who we have coming along and a little more about this year’s theme, Rethink, Reskill, Reboot.

Authentication firm Okta probes report of digital breach
Date: 2022-03-23
Author: Reuters
Authentication services provider Okta Inc (OKTA.O) is investigating a report of a digital breach, the company said on Tuesday, after hackers posted screenshots showing what they claimed was its internal company environment. A hack at Okta could have major consequences because thousands of other companies rely on the San Francisco-based firm to manage access to their own networks and applications. The company was aware of the reports and was investigating, Okta official Chris Hollis said in a brief statement.

Okta: Lapsus$ attackers had access to support engineer’s laptop
Date: 2022-03-23
Author: ZDNet
Okta says that a rapid investigation into the sharing of screenshots appearing to show a data breach has revealed they relate to a “contained” security incident that took place in January 2022. Okta, an enterprise identity and access management firm, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.”

Microsoft confirms they were hacked by Lapsus$ extortion group
Date: 2022-03-22
Author: Bleeping Computer
Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code. Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps. In a new blog post published tonight, Microsoft has confirmed that one of their employee’s accounts was compromised by Lapsus$, providing limited access to source code repositories.

New Phishing toolkit lets anyone create fake Chrome browser windows
Date: 2022-03-19
Author: Bleeping Computer
A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. When signing into websites, it is common to see the option to sign in with Google, Microsoft, Apple, Twitter, or even Steam.

White House issues call to action in light of new intelligence on Russian cyberthreat
Date: 2022-03-21
Author: CyberScoop
The Biden administration renewed calls Monday for the private sector to address known vulnerabilities and shore up cyberdefenses in light of a looming possibility of a cyberattack from Russia on U.S. infrastructure. The latest warning is “based on evolving threat intelligence, that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States,” Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, said at a press conference Monday.

A Closer Look at the LAPSUS$ Data Extortion Group
Date: 2022-03-23
Author: Krebs on Security
Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

BitRAT malware now spreading as a Windows 10 license activator
Date: 2022-03-21
Author: Bleeping Computer
A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators. BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it. As such, each buyer follows their own approach to malware distribution, ranging from phishing and watering holes to trojanized software.

Australia launches federal cybercrime centre as part of national plan
Date: 2022-03-21
Author: ZDNet
Australian Home Affairs Minister Karen Andrews has launched a centre to bolster the country’s cybercrime fighting efforts. The AU$89 million cybercrime centre forms part of Home Affairs’ national plan to combat cybercrime, which was announced alongside the centre’s launch on Monday morning. The AU$89 million was provided through the AU$1.67 billion in funding for Australia’s cybersecurity strategy by the federal government. Andrews said the national plan and the Australian Federal Police’s (AFP) new cybercrime centre, called the Joint Policing Cybercrime Coordination Centre (JPC3), would bring together the experience, powers, capabilities, and intelligence needed to build a strong, multi-faceted response.

Newer Conti ransomware source code leaked out of revenge
Date: 2022-03-20
Author: Bleeping Computer
A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine. Conti is an elite ransomware gang run by Russia-based threat actors. With their involvement in developing numerous malware families, it is considered one of the most active cybercrime operations. However, after the Conti Ransomware operation sided with Russia on the invasion of Ukraine, a Ukrainian researcher named ‘Conti Leaks’ decided to leak data and source code belonging to the ransomware gang out of revenge.

Microsoft Azure developers targeted by 200-plus data-stealing npm packages
Date: 2022-03-24
Author: The Register
A group of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed two days after they were made available to the public.

ASB-2022.0071 – .au direct domain names
AUSCERT’s advisory for its members contains important information about .au direct domain names. We encourage all members who wish to register their domains in .au direct to do so within six months to avoid any potential issues arising later.

ASB-2022.0072 – Potential Cyberattacks
The US President warns the public to be aware of a possible escalation of cyber-attacks from Russia.

ASB-2022.0073 – Lapsus$ Okta incident
AUSCERT’s advisory on the Lapsus$ Okta incident includes Microsoft’s recommended defences against DEV-0537.

ESB-2022.1275 – VMware Carbon Black App Control (AppC): CVSS (Max): 9.1
Updates are available to remediate the vulnerabilities in VMware Carbon Black App Control.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Week in review

AUSCERT Week In Review for March 18th 2022

Greetings,

Today, March 18th, is World Sleep Day – yes, really! There are many benefits from having quality sleep, which include improved mental health, mood, and decision-making. It has also been recognised as significant in preventative health and wellbeing, alongside fitness and nutrition. There are many ways that we can each improve our sleep, ranging from exercise in the morning to a warm shower at night and setting cut-off times from technology each evening to allow a wind down before sleep. The Sleep Health Foundation is on a mission to improve as many lives as possible through better sleep and has a range of resources and activities designed to help with that goal.

Some folks who may be taking on some suggestions on improved sleep ahead of their presentations are our Speakers for this year’s AUSCERT2022 Cyber Security Conference! That’s right, we have officially announced our line-up, which includes Keynote Speakers Kath Koschel of The Kindness Factory and Lesley Carhart amongst some familiar faces and first-timers. Visit the AUSCERT2022 website to see our speaking line-up and perhaps register yourself to come along to the Gold Coast this May?

Lastly, we wanted to advise, or remind those in the know, of the upcoming release of .au direct domain names. As detailed in our recent blog, the Australian Domain Administration (auDA) will be making the shorter and simpler domain names available from Thursday, March 24th, 2022. The blog highlights the advantages of the upcoming release but also outlines some precautionary measures that may apply to you and your business.

QNAP warns severe Linux bug affects most of its NAS devices
Date: 2022-03-14
Author: Bleeping Computer
Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed ‘Dirty Pipe’ that allows attackers with local access to gain root privileges. The ‘Dirty Pipe’ security bug affects Linux Kernel 5.8 and later versions, even on Android devices. If successfully exploited, it allows non-privileged users to inject and overwrite data in read-only files, including SUID processes that run as root.

Android malware Escobar steals your Google Authenticator MFA codes
Date: 2022-03-12
Author: Bleeping Computer
The Aberebot Android banking trojan has returned under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes. The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.

New ransomware LokiLocker bundles destructive wiping component
Date: 2022-03-17
Author: CSO Online
A new ransomware operation dubbed LokiLocker has slowly been gaining traction since August among cybercriminals, researchers warn. The malicious program uses a relatively rare code obfuscation technique and includes a file wiper component that attackers could use against non-compliant victims. “LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021,” researchers from BlackBerry’s Research & Intelligence Team said in a new report.

New Linux botnet exploits Log4J, uses DNS tunneling for comms
Date: 2022-03-15
Author: Bleeping Computer
A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, install rootkits, create reverse shells, and act as web traffic proxies. The newly found malware, dubbed B1txor20 by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), focuses its attacks on Linux ARM and X64 CPU architecture devices. The botnet uses exploits targeting the Log4J vulnerability to infect new hosts, a very appealing attack vector seeing that dozens of vendors use the vulnerable Apache Log4j logging library.

Ukraine invasion opens political rift between cybercriminals
Date: 2022-03-15
Author: The Register
Cybercriminals are taking sides over Russia’s deadly invasion of Ukraine, putting either the West or Moscow in their sights, according to Accenture. The consultancy giant’s Cyber Threat Intelligence team, which tracks illicit dark-web activity, said in a report dated Monday that this is the first time it has witnessed “financially motivated threat actors divided along ideological factions.”

ESB-2022.1083 – macOS Monterey: CVSS (Max): 9.1*
Apple has released an advisory to address multiple vulnerabilities in the packages used in macOS.

ESB-2022.1076 – Apache HTTP Server: CVSS (Max): 7.4
Multiple vulnerabilities affecting Apache HTTP Server have been fixed in version 2.4.53.

ESB-2022.1108 – squid: CVSS (Max): 9.6
An incorrect input validation vulnerability leading to cache poisoning has been addressed.

ESB-2022.1147 – Bind 9.18.0: CVSS (Max): 7.0
ISC advises updates to Bind to address multiple vulnerabilities.

ESB-2022.1165 – Treck TCP/IP Stack: CVSS (Max): 10.0
Treck TCP/IP Stack is widely used in embedded systems. It is recommended to update to version 6.0.1.67 or later.

ASB-2022.0070 – Microsoft Edge (Chromium-based): CVSS (Max): 6.3*
Microsoft has advised users to update Edge (Chromium-based) to address multiple vulnerabilities assigned by Google Chrome.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Blogs

.au Direct Domain names are a new option for Australian internet users

From 24 March 2022, the Australian Domain Administration (auDA) will be introducing a new option for Australian internet users with the availability of .au direct domain names. The shorter and simpler domain names (such as pavlova.au, station.au and so on) will be open to individuals and organisations that wish to have an online presence, new or existing, with the proviso that they have a verified connection to Australia.

Whilst offering convenience for businesses and individuals, it also presents an opportunity for cybercriminals to create malicious domains. At AUSCERT, it’s our purpose to understand just what those threats might be, to provide our members with an analysis of the situation. While it is impossible to completely prevent all kinds of domain name abuse, the requirements auDA has in place (such as registrants needing to have an ‘Australian presence’) certainly help mitigate against widespread and easy abuse (as is prevalent in many other jurisdictions).

auDA has extensive resources available should you wish to learn more, including detailed information regarding registering domain names in .au direct, timelines, domain conflict resolution and so on. In addition, you can contact your preferred domain retailer. However, in brief, some points of note are:

- auDA continues with its strict rules against .au domains being used in any malicious or illegal activities and will take action against recognised offenders.
- auDA will provide priority registration to those organisations with an existing registered domain of the same name in ‘.au’. For example, here at AUSCERT, we have ‘auscert.org.au’, which gives us priority to register and use ‘auscert.au’. This priority period runs for six months from the launch date (24 March 2022), after which the ‘.au’ domain becomes available to anyone. Essentially, this means you have until 20 September 2022 to register the new ‘.au’ version of any existing domain names you wish to have it for.
- An “Australian presence” will be required to register a .au direct domain and essentially requires one of: an ABN; a trademark number; or an Australian identification document (passport, driver’s license, etc.).

So, what does this mean for you?

- Be aware that the .au direct domains are being launched on 24 March 2022.
- Consider which of your existing domains you may wish to register in .au direct. We encourage all members wishing to undertake this process to do so within six months to avoid any potential issues arising later.
- Determine whether there may be any potential conflicts with other domain name registrants and understand the auDA process for resolving the conflicts. Check the auDA website for complete details.
- Contact your preferred domain retailer to register your new domains.
- Consider which new (rather than existing) domain names you may wish to register.
- Be aware that the opening up of a new domain space always provides a potential for the resurgence of domain abuse (such as domain squatting, phishing, etc.) and take pre-emptive measures such as domain registration in the new domain space.

Please contact the team at AUSCERT if you have any security-related questions relating to the introduction of .au direct domains you believe we can assist with. All other questions concerning, for example, domain registration, conflict resolution and so on are best dealt with by reviewing auDA’s or your retailer’s .au direct resources.

Week in review

AUSCERT Week In Review for 11th March 2022

Greetings,

We are excited to announce our second keynote speaker for AUSCERT2022, Lesley Carhart. Lesley, also known by her Twitter handle ‘Hacks4Pancakes’, is the Director of Incident Response for North America at the industrial cybersecurity company Dragos, Inc., leading response to and proactively hunting for threats in customers’ ICS environments. You may find Lesley organizing resume and interview clinics at several cybersecurity conferences, lecturing, and blogging and tweeting prolifically about cybersecurity. When not working, Lesley enjoys being a youth martial arts instructor. This is Lesley’s first time speaking in-person Down Under and we can’t wait to see them on the Gold Coast in May!

If you’d like to see Lesley in person or, perhaps, one of our many other informative and engaging presenters, why not register today to ensure that you don’t miss out? AUSCERT2022 will again be held at The Star Gold Coast and will be broadcast virtually, allowing you to attend in the format that suits you best.

As it enters the second week, the invasion of Ukraine continues to reveal risks, real and potential, for individuals and organisations the world over. Harvard Business Review discusses possible preventative measures to take in order to be as safe as possible and what a global cyberwar may look like.

New Linux bug gives root on all major distros, exploit released
Date: 2022-03-07
Author: Bleeping Computer
[Refer AUSCERT Security Bulletin: ASB-2022.0061]
A new Linux vulnerability known as ‘Dirty Pipe’ allows local users to gain root privileges through publicly available exploits. Today, security researcher Max Kellermann responsibly disclosed the ‘Dirty Pipe’ vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.

Malware now using NVIDIA’s stolen code signing certificates
Date: 2022-03-05
Author: Bleeping Computer
Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data. The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and began leaking the data online after NVIDIA refused to negotiate with them.

Big tech decries Australia’s anti-trolling Bill for not allowing innocent dissemination defence
Date: 2022-03-07
Author: ZDNet
Meta, Twitter, and YouTube have all echoed the same concerns about Australia’s proposed anti-trolling laws, saying they would place an “unprecedented level” of defamation risk on social media platforms as the Bill seeks to remove the defence of innocent dissemination. The innocent dissemination defence allows entities, such as social media platforms, to not be liable for defamation if they had no knowledge of the defamatory material, and their failure to detect the material was not due to negligence.

Russia-Ukraine war: NYC on ‘ultra-high alert’ amid increased risk of Russian retaliatory cyberattack
Date: 2022-03-07
Author: Fox News
New York state is facing “increased risk” of cyberattack from Russian retaliators, while city agents have seen more breach attempts amid heightened tensions that have arisen from the Russian invasion of Ukraine, officials said Monday. Sen. Kirsten Gillibrand, a New York Democrat, met with New York City and police department officials on Monday morning. The New York Police Department (NYPD) has found no specific credible cybersecurity threats to the city so far, but not for a lack of effort, officials have said.

Samsung confirms hackers stole Galaxy devices source code
Date: 2022-03-07
Author: Bleeping Computer
Samsung Electronics confirmed on Monday that its network was breached and the hackers stole confidential information, including source code present in Galaxy smartphones. As first reported by BleepingComputer, the data extortion group Lapsus$ leaked at the end of last week close to 190GB of archives claiming to have been stolen from Samsung Electronics.

Smartphone malware is on the rise, here’s what to watch out for
Date: 2022-03-10
Author: ZDNet
There’s been a surge in mobile malware attacks as cyber criminals ramp up their attempts to deliver malicious text messages and applications to users in order to steal sensitive information including passwords and bank details. Cybersecurity researchers at Proofpoint say they detected a 500% jump in attempted mobile malware attacks during the first few months of 2022, with significant peaks at the beginning and end of February.

Internet Backbone Giant Lumen Shuns .RU
Date: 2022-03-08
Author: Krebs on Security
Lumen Technologies, an American company that operates one of the largest Internet backbones and carries a significant percentage of the world’s Internet traffic, said today it will stop routing traffic for organizations based in Russia. Lumen’s decision comes just days after a similar exit by backbone provider Cogent, and amid a news media crackdown in Russia that has already left millions of Russians in the dark about what is really going on with their president’s war in Ukraine.

ASB-2022.0062 – ALERT Microsoft Windows, Windows Server, Remote Desktop Client and Image/Video Extensions: CVSS (Max): 8.8
Microsoft has released its monthly security patch update for the month of March 2022 and also noted that CVE-2022-24508 is more likely to be exploited by threat actors.

ESB-2022.0967 – Adobe After Effects: CVSS (Max): 7.8
Adobe has released an update for Adobe After Effects for Windows and macOS. Successful exploitation could lead to arbitrary code execution in the context of the current user.

ASB-2022.0065 – ALERT Microsoft Exchange Server: CVSS (Max): 8.8
Microsoft recommends updating the software with the version made available on the Microsoft Update Catalogue in its monthly security patch update.

ESB-2022.0991 – MozillaFirefox: CVSS (Max): 8.8
Mozilla released a security update for two new vulnerabilities in Mozilla Firefox.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
